Audit Log Rule Sets¶
Audit log rule sets are available to manage the level of detail in audit logs. Types of logs can be added to or removed from rule sets by means of log audit ruleset command line parameters.
The following table shows rule sets and their default state:
| Option | Name | Enabled |
|---|---|---|
| 1 | Default Rules | true |
| 2 | CLI Commands | true |
| 3 | Users and Groups | false |
| 4 | Network Events | false |
| 5 | Security | false |
| 6 | Software Management | false |
| 7 | Root Commands | false |
| 8 | File Access | false |
For details on the logs associated with the rules, see:
- Types of command and change logs in audit rules
- the audit log description under Log Types
This means that by default, the audit log only shows logs associated with the default audit rules (1) and any VOSS-4-UC platform CLI commands (2).
The following parameters are available for the command log audit ruleset:
log audit ruleset list
Show the current ruleset, in other words the enabled and disabled rules.
For example, consider the following (non-default option 7 has been enabled):
$ log audit ruleset list Option Name ------ ---- Rules Enabled 1 Default Rules 2 CLI Commands 7 Root Commands Rules Disabled 3 Users and Groups 4 Network Events 5 Security 6 Software Management 8 File Accesslog audit ruleset disable 1,2
Disable rules 1 and 2 from the rule set.
Note
The parameter syntax is a comma separated list of option numbers without spaces.
For example:
$ log audit ruleset disable 1,2 $ log audit ruleset list Option Name ------ ---- Rules Enabled 7 Root Commands Rules Disabled 1 Default Rules 2 CLI Commands 3 Users and Groups 4 Network Events 5 Security 6 Software Management 8 File Accesslog audit ruleset enable 2
Enable rule 2 from the rule set.
For example:
$ log audit ruleset enable 2 $ log audit ruleset list Option Name ------ ---- Rules Enabled 2 CLI Commands 7 Root Commands Rules Disabled 1 Default Rules 3 Users and Groups 4 Network Events 5 Security 6 Software Management 8 File Accesslog audit ruleset enable all
Enable all the rules.
For example:
$ log audit ruleset enable all $ log audit ruleset list Option Name ------ ---- Rules Enabled 1 Default Rules 2 CLI Commands 3 Users and Groups 4 Network Events 5 Security 6 Software Management 8 File Access 7 Root Commands Rules Disabledlog audit ruleset default
Reset the rules to the default set.
For example:
$ log audit ruleset default $ log audit ruleset list Option Name ------ ---- Rules Enabled 1 Default Rules 2 CLI Commands Rules Disabled 3 Users and Groups 4 Network Events 5 Security 6 Software Management 8 File Access 7 Root Commands
Types of command and change logs in audit rules¶
| Option # | Name | Purpose |
|---|---|---|
| 1 | Default Rules | Audit mgt tool, kernel , mount, swap, stunnel, cron events |
| 2 | CLI Commands | All Voss CLI commands logged in a clear text format |
| 3 | Users and Groups | User, group, sudo, password, login/logout events |
| 4 | Network Events | Hostname, pam, ssh, systemd, access failures, power state, session initiation, access control, etc |
| 5 | Security | Suspicious activity, reconnaissance, code injection, and privilege abuse |
| 6 | Software Management | Package management (dpkg, apt, aptitude) |
| 7 | Root Commands | Commands executed as root (high volume) |
| 8 | File Access | File access failures and deletion |
